Analysis
-
max time kernel
135s -
max time network
56s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
28-04-2024 16:48
General
-
Target
05a30994821845197be5d1ebb616dbbb_JaffaCakes118.exe
-
Size
328KB
-
MD5
05a30994821845197be5d1ebb616dbbb
-
SHA1
0bf4c283b2ecac2d8d94074248403d89754c688f
-
SHA256
73a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c
-
SHA512
6bcffb9ec948aee21851e299a8a96a6c795c5546fad7d2f737ceb5f6d782975551b0f77e8e6c91450d5ee881f8e8d35eceb1944101eb94656b42a1e72c1e6073
-
SSDEEP
6144:a9zyYnK/Poydbl3rFLRN8kAZyubtSiTsflsyAC9RM4ATGtMHoLm:8sgKdrBRMdSOCPbxL
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+lebif.txt
teslacrypt
http://sondr5344ygfweyjbfkw4fhsefv.heliofetch.at/40FA5AFAA23B61ED
http://pts764gt354fder34fsqw45gdfsavadfgsfg.kraskula.com/40FA5AFAA23B61ED
http://yyre45dbvn2nhbefbmh.begumvelic.at/40FA5AFAA23B61ED
http://xlowfznrg4wf7dli.ONION/40FA5AFAA23B61ED
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (893) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\05a30994821845197be5d1ebb616dbbb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05a30994821845197be5d1ebb616dbbb_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\jlsbaljyllwo.exeC:\Windows\jlsbaljyllwo.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_ReCoVeRy_.TXT3⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\_ReCoVeRy_.HTM3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe72a446f8,0x7ffe72a44708,0x7ffe72a447184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,15662361338289944563,9529391403328732578,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:14⤵
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\JLSBAL~1.EXE3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\05A309~1.EXE2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+lebif.htmlFilesize
12KB
MD5f99315bc0c3259e1b0264f0ace036dcd
SHA1832da79a5fba7eb92e39d86bb345978f53203060
SHA256796c9eb28dc5f3efdc36cfc96b939748f9d3335872d4bf1e33c8535f2984d5fe
SHA5126d09f860e6c35d54c7738d5cb6b3e00652d88048eaf81b7186e5452f2ccd13d327349b1186d3436c1fbd40f86b04158916ab1c535218ecb521bd08c7fdb343cc
-
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+lebif.pngFilesize
65KB
MD5db6bf9d37c1a2cd332f1feb29851d9b8
SHA15bf8f8032277a3e78bf2bb39e5f1b64c1bcb7457
SHA25610b18bd1c7f87125e044d00e73749b506085635997d0a7627dd2ed598d9449d0
SHA512c306551997319526dcdd72c2ee5200a525a8fc751645eb0f57239e1a9f152b3f8a40e703e61c03c47d575d6b40f49e4447339051344d7b0b5a82888ec35dc0c3
-
C:\Program Files\7-Zip\Lang\_ReCoVeRy_+lebif.txtFilesize
1KB
MD509d1e613381ebbe2e395604eb3bb2a23
SHA1a78e7d578c9613b3d6ab92cedda1ced0325f9896
SHA256ace05de6fa4b6d9ca632cb19033747776d9f28305995d2d0fea95713bcabb665
SHA512e86f1e4e3ddaba954aed2505c889b16c31198dfb39378777e657a698ab97215de3eb97ec085f6cf9f7eebee781db2ccee4217f0bc0b7b62c672edb9ba3bdb83b
-
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txtFilesize
560B
MD5809f283d585f87108787fabd6444e722
SHA1a84fea6941f8086403d92856626294a81cdbf06e
SHA2561427d6a6da7c744e92d56278c7be1bca8f1380491c52f98566cd3c5a1586ec40
SHA512672613a577b8c8a50cb3c439f80feaa3b78530c30e0cc3087817976ecf5ae82c95b9029b82bb76f4e7d0ce3ced3e5599fad84dc700e4ed0586614ac92fd82e13
-
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txtFilesize
560B
MD56b2699361cef3231e918d48d428c8a09
SHA1b9e863cee582f0b62dc04a3a316208c81eb94a46
SHA256bc06834e19bff679e5d47b90e18c053dd7d38d9150a212f8fe90eb8ed0d7b87a
SHA512d82c560443167e0a76d6e093c413c69103bc0b3024b088c542cc8bde4faeba7f2c876df6762503da222108d1207444f207b590f75edf6097eabde0e298034c71
-
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txtFilesize
416B
MD5f43ca9a484c1897630f4125534cc344f
SHA126be1132ff3a91d2059e99dd24a1d54936658123
SHA256f2da53c94153595d6ed74705cd85312f020b739708f72e5b1dee7b5b13d626d4
SHA512d869f2907dfcbdb0a96ec3c701e3ef5d5c8029b4796a035570c01c62523c4fc0b3b2fa13c20f680c441eafba4e25cc5ea1c0c90c8d5e6d0a72acc57daf756020
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a9e55f5864d6e2afd2fd84e25a3bc228
SHA1a5efcff9e3df6252c7fe8535d505235f82aab276
SHA2560f4df3120e4620555916be8e51c29be8d600d68ae5244efad6a0268aabc8c452
SHA51212f45fa73a6de6dfe17acc8b52b60f2d79008da130730b74cc138c1dcd73ccc99487165e3c8c90dc247359fde272f1ec6b3cf2c5fcb04e5093936144d0558b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5dbac49e66219979194c79f1cf1cb3dd1
SHA14ef87804a04d51ae1fac358f92382548b27f62f2
SHA256f24ed6c5bf4b734a9af4d64e14a80a160bea569f50849f70bf7b7277c4f48562
SHA512bb314d61f53cf7774f6dfb6b772c72f5daf386bc3d27d2bb7a14c65848ee86e6c48e9c5696693ded31846b69b9372a530175df48494e3d61a228e49d43401ad1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57a0083feb33a40afb00513339dedeb22
SHA1d4367b84eea7518ef62d863d86098ffc5bed5a64
SHA25661fa3c27c2dd2039052be1a9b5c5ea22e9a48a6a90b317368469f50da1e23d0c
SHA51239011bc2c45da8c0385a311e76b07cc1f5a5699c6f6a3fe2fdaeb297a50fcbd0a6fa74c894cd4db5cbd8390433a6a7b46eb87399c63c93d55868f264f26dac49
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5dc6700a7054fc638b1a5d30abafe58cc
SHA12c32dec8a1f89003dfaa00891eee8502e4b20bc5
SHA25664cebeaa645a27938f85139bf718b5857241e617957760ae3be9dd986740e039
SHA5125dc3403dbe1b3f380f350402b1aedcb3efdb147e8230c74f404f7942398df86810e54c3810f585c2cd04d463160fa78a5150c04661afeb4aed5cfd01daca343c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5f562f1a12042b320f5a2f666364bb1e2
SHA1bc1221502c82ce40270cb67da2966b8e0901da52
SHA2564bfa50999026debf110a8b3a4cee5f30d97093740a041b12a11444478a39dd94
SHA51239522e5c2fd4417bd40637c32327b72344bff59d7192bb9ed6d4d56bab9b60fac804b8e933c21c1c28632d9af81dbee20caffe58e43b27444865045c9c5d7203
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838338840824.txtFilesize
77KB
MD56373beb912e6d82d2c6c4cf265df2ca0
SHA1435beab28b8fffa436de7e5c081cb35afdf7b2d8
SHA2563a56d630433f36c86dcf7c139523de0f2ab5b5d0bbf313eea71225128869017c
SHA5125a7dc7ef197ba54e9fd22d64f756f6452559a6d6d189f1581ac642ed294f0c5e28d89e30f39694bc6bcf3476e306c1be3eb488193c7a58bfc5bffb9e3c89922d
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579840260629574.txtFilesize
47KB
MD589f8644a7a211e318878fefb56d4ed4a
SHA103a15617b76d2b2d90ce38791009b3476c41744d
SHA2568a8dd879bb4bf7069f90f660edf787bd25af56fdacfe4d79dedb8d7c61780d3c
SHA512c6d73db2efc4df0c5add6dab737ad8f6a2763aa75a3e57cba46bcbcdbd50d561369110522769bdce9af31880fa98615a028b6921419b188bdf821aa148a44032
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579848943443912.txtFilesize
75KB
MD53bdacdfd1fb384e84a1f9f268d27beee
SHA13a111bab8a320f5e429dcb1130252e6f9b205757
SHA256979b7ac27137deb46c1756e54a264d8149eddd6da3cd41c38611152a00835fee
SHA5120f974a122d27cd4621a4c8378afa8de62c4202f2955b37435e45db2a54d9cb2c685d34bd74dd89e00078123e70e80b700b67b47316d1cc830888c921797a8002
-
C:\Windows\jlsbaljyllwo.exeFilesize
328KB
MD505a30994821845197be5d1ebb616dbbb
SHA10bf4c283b2ecac2d8d94074248403d89754c688f
SHA25673a2ed1606f22e828554948d7f79dd99f2858bc3465e5065abcbf90d98583b3c
SHA5126bcffb9ec948aee21851e299a8a96a6c795c5546fad7d2f737ceb5f6d782975551b0f77e8e6c91450d5ee881f8e8d35eceb1944101eb94656b42a1e72c1e6073
-
\??\pipe\LOCAL\crashpad_2560_HLYRAWLYOOKISNXRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/244-0-0x00000000022B0000-0x0000000002336000-memory.dmpFilesize
536KB
-
memory/244-13-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/244-14-0x00000000022B0000-0x0000000002336000-memory.dmpFilesize
536KB
-
memory/244-2-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3416-3641-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3416-10562-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3416-10553-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3416-10116-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3416-6738-0x0000000000400000-0x0000000000496000-memory.dmpFilesize
600KB
-
memory/3416-12-0x0000000002170000-0x00000000021F6000-memory.dmpFilesize
536KB
